ENBUILD HELM CHART

This helm chart installs the ENBUILD application.

Hitting a problem? See TROUBLESHOOTING.md — covers the most common install issues (UI proxy returning HTML 404 to API calls, mq-consumer restart loop, ImagePullBackOff, MongoDB password sentinel, etc.) and which of them are chart-side vs cluster-side.

Verify a fresh install: after helm install, run helm test <release> -n <namespace> to exercise the nginx reverse-proxy chain end to end.

Installing the Chart

This Helm chart repository enables you to install a ENBUILD Helm chart directly from it into your Kubernetes cluster. Please refer to the ENBUILD documentation for all the additional details required.

# Let helm the command line tool know about a Helm chart repository
# that we decide to name enbuild.
❯ helm repo add vivsoft https://vivsoftorg.github.io/enbuild

# Update the Helm chart repository.
❯ helm repo update vivsoft

# Search for the ENBUILD Helm chart in the enbuild Helm chart repository.
❯ helm search repo  vivsoft/enbuild
NAME           	CHART VERSION	APP VERSION	DESCRIPTION
vivsoft/enbuild	0.0.12        	1.0.10      	A Helm chart for ENBUILD

# Simplified example on how to install a Helm chart from a Helm chart repository
# named vivsoft in a namespace named enbuild. See the Helm chart's documentation for additional details
# required.
❯ helm upgrade --install  enbuild vivsoft/enbuild --namespace enbuild --create-namespace 

# To install a specific version of the Helm chart.
❯ helm upgrade --install  enbuild vivsoft/enbuild --namespace enbuild --create-namespace  --version 0.0.12

Iron Bank examples:

• Base Iron Bank install: examples/enbuild/quick_install_ib.yaml
• Iron Bank install with Headlamp enabled: examples/enbuild/quick_install_ib_headlamp.yaml
• Headlamp example notes: examples/enbuild/quick_install_ib_headlamp.md

The Iron Bank examples assume the Helm release name is enbuild-ib, which means the generated image pull secret is enbuild-ib-image-pull-secret. If you install with a different release name, update the RabbitMQ and Headlamp pull secret references in the example values accordingly.

Uninstalling the Chart

To uninstall/delete the enbuild deployment:

❯ helm delete --namespace enbuild enbuild

Parameters

Global parameters

Name	Description	Value
global.AppVersion	[default: ""] Provide custom appVersion, to override the default one. All the ENBUILD images will be of the same version. To use indidual tag for each service set the tag on per service basis.	""
global.domain	What domain to use to expose the ENBUILD using istio or Ingress	ijuned.com
global.disable_tls_gitlab	Set to true if you are using self-signed certificates	false
global.ingress.enabled	Should we create the Ingress Resources ?	false
global.ingress.tls	Is Ingress TLS enabled ?	false
global.ingress.tls_secret	If Ingress is TLS enabled, Provide the Secret for the TLS Certificate.	""
global.ingress.classname	Ingress classname if enabled.	""
global.ingress.annotations	Ingress annotations if enabled.	[]
global.istio.enabled	Should we create the Istio Resources ?	false
global.istio.gateway	Istio gateway to use for creating Virtual Service.	istio-system/main
global.image.registry	Container registry to pull images from	registry.gitlab.com
global.image.pullPolicy	Container imagePullPolicy	Always
global.storageClass	Explicit StorageClass to use for stateful dependencies when the cluster has no default StorageClass	""
global.image.registry_credentials	if the image.registry is private container registry, provide the credentials	{}
global.image.registry_credentials.username	Container registry Username	""
global.image.registry_credentials.password	Container registry password	""
global.gitlabRegistryCredentials	Optional GitLab Container Registry credentials. Leave unset on normal deploys; supply via --set at install time when an environment needs to pull images from registry.gitlab.com in addition to the primary global.image.registry.	{}
global.gitlabRegistryCredentials.username	Optional GitLab Container Registry username (or "oauth2" when password is a PAT). Leave unset on normal deploys; supply via --set at install time when an environment needs to pull images from registry.gitlab.com in addition to the primary global.image.registry. Pairs with password below.	""
global.gitlabRegistryCredentials.password	GitLab Container Registry password / PAT (with read_registry scope). NEVER commit a real value; provide via --set or an untracked secrets values file at install time.	""
global.gitlabRegistryCredentials.registry	GitLab Container Registry host. Overridable for self-hosted GitLab instances (rare).	"registry.gitlab.com"

ENBUILD Lightning Features to be enabled

Name	Description	Value
lightning_features.develop_lightning.application	Enable Bolt deployment	false
lightning_features.develop_lightning.models	Enable JupyterHub deployment	false
lightning_features.secure_lightning.ctf	Enable CTF deployment	false
lightning_features.deploy_lightning.infra_lightning	Enable Data Lightning deployment	false
lightning_features.deploy_lightning.data_lightning	Enable Data Lightning deployment	false
lightning_features.deploy_lightning.ai_lightning	Enable AI Lightning deployment	false
lightning_features.operations_lightning.headlamp	Enable Headlamp deployment	false
lightning_features.operations_lightning.monitoring	Enable Loki Stack deployment	false

ENBUILD RabbitMQ parameters

Name	Description	Value
rabbitmq.enabled	Set to false to use existing RabbitMQ	true
rabbitmq.replicaCount	RabbitMQ replicaCount	1
rabbitmq.auth.username	RabbitMQ username	admin
rabbitmq.auth.password	RabbitMQ password	SuperSecret
rabbitmq.auth.erlangCookie	RabbitMQ erlangCookie	lamba
rabbitmq.auth.securePassword	Set to false to make Bitnami RabbitMQ chart honour auth.password instead of generating a random password. Must be false to prevent a PVC-wipe from creating a new random admin password that mismatches the backend connection string.	false
rabbitmq.host	If rabbitmq.enabled is false , provide the right rabbitmq endpoint	""
rabbitmq.queue_prefix	Queue Prefix for all RabbitMQ Queues	enbuild
rabbitmq.image.registry	RabbitMQ image registry	registry.gitlab.com
rabbitmq.image.repository	RabbitMQ image repository	enbuild-staging/vivsoft-platform-ui/rabbitmq
rabbitmq.image.tag	RabbitMQ image tag	3.12.14

ENBUILD Database parameters

Name	Description	Value
mongodb.enabled	Set to true to Deploy the MongoDB.	false
mongodb.mongo_root_username	DB username. If mongodb.enabled this is used to to set the username. Else this is username for existing Cosmos or DocumentDB	""
mongodb.mongo_root_password	DB Password. If mongodb.enabled this is used to to set the password. Else this is password for existing Cosmos or DocumentDB	""
mongodb.mongo_server	If mongodb.enabled is false , provide the right cosmosDB/DocumentDB endpoint	""
mongodb.mongo_endpoint_override	Verbatim MONGODB_ENDPOINT for bk/mq/ai/user. Set this for HA topologies (3-node replicaSet, cosmosDB with auth params) where the assembled mongodb://USER:PW@MONGO_SERVER URI lacks the necessary query string (?replicaSet=...&authSource=admin). When set, MONGO_INITDB_ROOT_USERNAME / PASSWORD / MONGO_SERVER vars are still rendered into the secret (the mongo StatefulSet itself still consumes them) but the BE pods use this URI directly instead of assembling from parts. Leave empty for single-node defaults.	""
mongodb.image.repository	Container repository for mongodb Container	enbuild-staging/vivsoft-platform-ui/mongodb
mongodb.image.tag	Container tag for mongodb Container	4.4.5
mongodb.storageClassName	Explicit StorageClass for MongoDB PVCs. If empty, uses global.storageClass	""

ENBUILD UI Services parameters

Name	Description	Value
enbuildUi.image.repository	Container repository for enbuildUi	enbuild-staging/vivsoft-platform-ui/enbuild-frontend
enbuildUi.image.tag	Container image tag. Skip to use the HelmChart appVersion as Image Tag	undefined
enbuildUi.replicas	Container enbuildUI Replicas	1
enbuildUi.service_type	enbuildUI service_type	ClusterIP
enbuildUi.node_port	enbuildUI node_port	30080
enbuildUi.hostname	enbuild service hostname. enbuildUi.hostname.global.domain becomes your FQDN	enbuild
enbuildUi.kiali_url	kiali_url	/kiali/
enbuildUi.grafana_url	grafana_url	/grafana/d/os6Bh8Omk/kubernetes-cluster?orgId=1&refresh=30s
enbuildUi.loki_url	loki_url	/grafana/d/liz0yRCZz/logs-app?orgId=1
enbuildUi.kubecost_url	kubecost_url	kubecost/overview.html

ENBUILD Backend Services parameters

Name	Description	Value
enbuildBk.image.repository	Container repository for enbuildBk	enbuild-staging/vivsoft-platform-ui/enbuild-backend
enbuildBk.image.tag	Container image tag. Skip to use the HelmChart appVersion as Image Tag	undefined
enbuildBk.replicas	Container enbuildBk Replicas	1
enbuildBk.service_type	enbuildBk service_type	ClusterIP
enbuildBk.encryption_key	encryption_key to be used by Backend	encryption_key
enbuildBk.gitlabPat.existingSecret	Name of an operator-managed Secret carrying GITLAB_TOKEN (and optionally GITLAB_HOST). When set, the deployment adds an envFrom for that secret; the inline GITLAB_TOKEN from enbuildConsumer.gitlab.token is omitted to avoid duplicate envvars. Use this in P1 environments where the PAT is provisioned out-of-band and rotated separately. Backwards-compatible default: empty (uses inline values).	""
enbuildBk.exportSigning.existingSecret	Name of an operator-managed Secret carrying SIEM_SIGNING_KEY (PEM-encoded ECDSA P-256 private key) for the CCM-32 audit export bundle (EN-1237). Strongly preferred over privateKeyPem for production. Backwards-compatible default: empty.	""
enbuildBk.exportSigning.privateKeyPem	Inline PEM private key used to sign /audit/export-bundle responses. Dev/test only; production should use existingSecret. Multiline string. Backwards-compatible default: empty (signing disabled; bundle returns signed=false).	""
enbuildBk.kubeProxyFallbackActor	Headlamp K8sApiProxy fallback actor email. When Headlamp requests carry no X-Actor-Email/JWT, the KubeProxyController falls back to this value. Empty = hardcoded controller default (alice@example.com).	""
enbuildBk.clusterRpcTimeoutMs	ClusterRpcService timeout (ms) for hub-to-agent RPCs. Raise from the 10000 source default to avoid "Lost connection to the cluster" under serial-dispatch agents with concurrent Headlamp requests.	"30000"
enbuildBk.healthProbe.enabled	Enable liveness/readiness probes on enbuild-bk. Set to false on environments where the Terminus RSS threshold causes a death loop from K8sApiProxy /openapi/v2 buffering.	true
enbuildBk.healthProbe.livenessPath	HTTP path for the bk liveness probe. Default is the combined endpoint on the standard released backend; P1-CCM overrides to /api/health/live (heap-only) to keep the RSS dimension out of the liveness check.	"/api/health"
enbuildBk.healthProbe.readinessPath	HTTP path for the bk readiness probe. Default is the combined endpoint; P1-CCM overrides to /api/health/ready (heap + mongo + disk).	"/api/health"
enbuildBk.kubeProxyCache.schemaTtlSeconds	TTL (seconds) for the /openapi/v2 and API-discovery schema cache tier. Empty = source default 300 s.	"300"
enbuildBk.kubeProxyCache.listTtlSeconds	TTL (seconds) for resource-list cache tier. Empty = source default 10 s.	"10"
enbuildBk.kubeProxyCache.maxEntries	LRU entry cap per cache tier. Empty = source default 50.	"50"
enbuildBk.securityTooling.existingSecret	Name of an operator-managed Secret carrying hub-self CCM-13d security-tooling env (TWISTLOCK_API_URL/USERNAME/PASSWORD, ANCHORE_API_URL/USERNAME/PASSWORD, FALCO_CLUSTER_ID, FALCO_WEBHOOK_SECRET, OPA_GATEKEEPER_ENABLED, FALCO_AUDIT_LANE). Added as an envFrom on the bk container. Keeps Big Bang tool creds out of Helm values + rotatable out-of-band; bridges them cross-namespace into the bk pod. Backwards-compatible default: empty (hub-self reports those sources unavailable until set).	""
enbuildBk.installAgent.existingSecret	Name of an operator-managed Secret carrying the 3 sensitive install-agent env vars: GITLAB_TOKEN (gitlab.com PAT for cloning the agent chart repo), ENBUILD_REPO1_USER (registry1.dso.mil pull username), ENBUILD_REPO1_TOKEN (registry1.dso.mil pull token). When set, the deployment adds an envFrom for that secret. When empty (default), the install-agent endpoint 503s on use with a clear error AND NOTES.txt prints a warning at install time. Operator pre-creates via kubectl -n enbuild create secret generic enbuild-install-agent-creds --from-literal=GITLAB_TOKEN=... --from-literal=ENBUILD_REPO1_USER=... --from-literal=ENBUILD_REPO1_TOKEN=.... Rotation = kubectl recreate Secret + rollout restart BE.	""
enbuildBk.installAgent.hubUrl	Hub gRPC endpoint (host:port) the spoke agent dials outbound. Default is the legacy vendor13-ib NLB DNS; override per environment via examples/enbuild/values-.yaml.	enbuild-ib-vendor13.staging.dso.mil:443
enbuildBk.installAgent.tlsServerName	HA-path TLS SAN/SNI override (optional). Set to the hub cert SAN when HUB_URL points at an AWS NLB DNS name (Route53 round-robins per-AZ IPs); spokes dial the DNS + use this for verification. Leave empty for the legacy hostAliases path.	""
enbuildBk.installAgent.hubInternalIps	Legacy CSV of per-AZ NLB IPs for spoke /etc/hosts hostAliases (air-gapped clusters that can't use AWS DNS). Empty by default; the HA path (tlsServerName + DNS) supersedes it.	""
enbuildBk.installAgent.agentImageTag	SHA of the enbuild-agent container image install-agent helm-installs on the spoke. Bump per agent release. Defaults baked in here so a fresh helm install gets a known-good tag without operator action; override via --set on rolls.	ac99ae1830c427a65db31a6874e5d4414d90133f
enbuildBk.installAgent.chartRepo	Git URL of the chart repo install-agent's Job clones to obtain enbuild-core / enbuild-stack / enbuild-agent charts. Default = platform-one-eks; override for forks or alt mirrors.	https://gitlab.com/enbuild-staging/iac-templates/platform-one-eks.git
enbuildBk.installAgent.chartRef	Branch/tag of the chart repo install-agent's Job clones. Default tracks the long-lived integration branch where chart edits land before merge to main.	feat/p1ccm-agent-chart-skeleton
enbuildBk.serviceAccount	Override the BE pod's ServiceAccount. When empty (default), the pod binds to {{ .Release.Name }}-enbuild-bk-installer (minted by enbuild-bk-rbac.yaml; carries the perms install-agent needs). Override only if a deployment mode needs a different SA.	""

ENBUILD USER Services parameters

Name	Description	Value
enbuildUser.image.repository	Container repository for enbuildUser	enbuild-staging/vivsoft-platform-ui/enbuild-user
enbuildUser.image.tag	Container image tag. Skip to use the HelmChart appVersion as Image Tag	undefined
enbuildUser.replicas	Container enbuildUser Replicas	1
enbuildUser.service_type	enbuildUser service_type	ClusterIP

ENBUILD Consumer Services parameters

Name	Description	Value
enbuildConsumer.image.registry	Per-service registry override. Unset → falls back to global.image.registry. Use to consume an mq-consumer image from a non-default registry (e.g. GitLab staging while waiting for an Iron Bank rebuild). Leave unset for normal deployments.	""
enbuildConsumer.image.repository	Container repository for enbuildConsumer	enbuild-staging/vivsoft-platform-ui/enbuild-mq-consumer
enbuildConsumer.image.tag	Container image tag. Skip to use the HelmChart appVersion as Image Tag	undefined
enbuildConsumer.replicas	Container enbuildConsumer Replicas	1
enbuildConsumer.command	Command override for the MQ consumer container	["npm"]
enbuildConsumer.args	Args override for the MQ consumer container	["run","run:mq:all"]

ENBUILD AI Services parameters

Name	Description	Value
enbuildAI.image.repository	Container repository for enbuildAI	enbuild-staging/vivsoft-platform-ui/enbuild-ai
enbuildAI.image.tag	Container image tag. Skip to use the HelmChart appVersion as Image Tag	undefined
enbuildAI.replicas	Container enbuilAI Replicas	1
enbuildAI.service_type	enbuildAI service_type	ClusterIP
enbuildAI.api_key	api_key [default: "dummy"] for OpenAI service if you planning to use OpenAI service	dummy
enbuildAI.ollama.enabled	model_name for OpenAI service.	"ollama/llama3.2"
enbuildAI.model_name	model_name for OpenAI service.	"ollama/llama3.2"
enbuildAI.ollama_endpoint	ollama_endpoint for OpenAI service.	"http://open-webui-ollama:11434"
enbuildAI.serviceAccount.create	Create a dedicated service account for AI pod	false
enbuildAI.serviceAccount.name	Name of service account. If empty, uses release name pattern	""
enbuildAI.serviceAccount.annotations	Annotations for AI service account (e.g., for IRSA)	{}

enbuildBolt Services parameters

Name	Description	Value
enbuildBolt.image.repository	Container repository for enbuildBolt	ghcr.io/vivsoftorg/dev-lightning
enbuildBolt.image.tag	Container image tag. Skip to use the HelmChart appVersion as Image Tag	v1.0.0
enbuildBolt.replicas	Container enbuildBolt Replicas	1
enbuildBolt.service_type	enbuildBolt service_type	ClusterIP

enbuildCTF Services parameters

Name	Description	Value
enbuildCTF.image.repository	Container repository for enbuildCTF	enbuild-staging/vivsoft-platform-ui/enbuild-ctf
enbuildCTF.image.tag	Container image tag. Skip to use the HelmChart appVersion as Image Tag	undefined
enbuildCTF.replicas	Container enbuildCTF Replicas	1
enbuildCTF.service_type	enbuildCTF service_type	ClusterIP
enbuildCTF.debug	Set to true to enable debug mode in CTF backend	true
enbuildCTF.cors_origins	Allowed CORS origins for CTF backend	['http://localhost:5173','http://localhost:5000','http://localhost:3000']
enbuildCTF.log_level	Log level for CTF backend	DEBUG
enbuildCTF.aws_region	AWS region for CTF backend to use AWS services like S3	us-east-1
enbuildCTF.resources.requests.memory	Memory resource request for CTF backend	1Gi
enbuildCTF.resources.requests.cpu	CPU resource request for CTF backend	500m
enbuildCTF.resources.limits.memory	Memory resource limit for CTF backend	1Gi
enbuildCTF.resources.limits.cpu	CPU resource limit for CTF backend	1
enbuildCTF.serviceAccount.create	Create a dedicated service account for CTF pod	false
enbuildCTF.serviceAccount.name	Name of service account. If empty, uses release name pattern	""
enbuildCTF.serviceAccount.annotations	Annotations for CTF service account (e.g., for IRSA)	{}